- From: Hubauer, Thomas <thomas.hubauer@siemens.com>
- Date: Tue, 13 Jun 2023 17:18:40 +0000
- To: Jürgen Jakobitsch <juergen.jakobitsch@semantic-web.com>, Melvin Carvalho <melvincarvalho@gmail.com>
- CC: "semantic-web@w3.org" <semantic-web@w3.org>
- Message-ID: <AS2PR10MB7273B4CA93C6210D22AA9F728155A@AS2PR10MB7273.EURPRD10.PROD.OUTLOOK.COM>
Thanks Jürgen. I was admittedly a bit “lazy” here with correct use of terms. Actually, my initial response to the https requirement was exactly this: “Well, we can just redirect http to https, can’t we?” But this is exactly where security guys told me this is vulnerable to MITM and some of the answers on https://stackoverflow.com/questions/4365294/is-redirecting-http-to-https-a-bad-idea seem to support this view unless you can control the request header to ensure that the HSTS protocol is used. Since we do not control the client (is the person opening the ontology using Protégé, curl, or whatever), I do however not see how I could ensure HSTS use. Any thoughts on this? Von: Jürgen Jakobitsch <juergen.jakobitsch@semantic-web.com> Datum: Dienstag, 13. Juni 2023 um 19:07 An: Melvin Carvalho <melvincarvalho@gmail.com> Cc: Hubauer, Thomas (T DAI SMR-DE) <thomas.hubauer@siemens.com>, semantic-web@w3.org <semantic-web@w3.org> Betreff: Re: W3C position on URIs http:// vs. https:// :-) there is no such thing as "using a http URI for downloading" in the semantic web . what you can download is a document from a specific URL (mind the L) which contains well specified serializations of RDF triples the subject of which will be a URI. it's a matter of linked data deployment: curl -L -H "accept:text/turtle" http://www.turnguard.com/turnguard can respond with HTTP 303, Location: https://www.turnguard.com/turnguard.ttl (containing triples with http://www.turnguard.com/turnguard as the subject) in short a URI is not a URL ;-) Jürgen Jakobitsch Director of Infrastructure & Information Security Semantic Web Company GmbH EU: +43-14021235<tel:+43%201%204021235> US: (415) 800-3776<tel:(415)%20800-3776> Mobile: +43-676-6212710<tel:+43%20676%206212710> https://www.poolparty.biz<https://www.poolparty.biz/> https://www.semantic-web.com<https://www.semantic-web.com/> Download E-Book: Introducing Semantic AI<https://www.poolparty.biz/machine-learning-meets-semantics/> Am Di., 13. Juni 2023 um 17:49 Uhr schrieb Melvin Carvalho <melvincarvalho@gmail.com<mailto:melvincarvalho@gmail.com>>: út 13. 6. 2023 v 17:37 odesílatel Hubauer, Thomas <thomas.hubauer@siemens.com<mailto:thomas.hubauer@siemens.com>> napsal: Hi SemWeb community, One of my projects is considering making some of our ontologies accessible to customers. As part of these considerations, we have been discussing resolving ontology references (e.g. for imports) which lead us to some lengthy arguments about http:// vs. https:// as protocol part in our URIs (primarily ontology URIs, potentially element URIs as well). I am aware of a 2016 post (https://www.w3.org/blog/2016/05/https-and-the-semantic-weblinked-data/) stating that W3C currently considers http and https to be “equivalent” for w3c.org<http://w3c.org/>. However, the security guys I am working with are not too happy with this as using a http URI for downloading imported ontologies is vulnerable to a man-in-the-middle attack. I was unable to find any more recent statement by the W3C on the use of http vs. https. Specifically, I’d be interested to understand if this community (and the W3C) intend to stick with http for the foreseeable future, of if there’s any plans to migrate some/all URIs (e.g. ontology URIs but not element URIs) to https ? Would be nice for us to understand what “the outer world” plans so we can maybe take this as a blueprint for our own guidance on URIs. I'm with TimBL on this: "HTTPS Everywhere" considered harmful https://www.w3.org/DesignIssues/Security-NotTheS.html The Semantic Web has been around for a couple of decades. Is there any documented instance of an MITM attack on an ontology ever causing an issue? Best regards, Thomas
Received on Tuesday, 13 June 2023 17:18:49 UTC